Merge pull request #1533 from ratify-project/dev
chore: merge dev into main 6-6-24
akashsinghal authored Jun 6, 2024
2 parents c92687d + 59d2f8c commit b6a5701
Showing 45 changed files with 963 additions and 398 deletions.
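--- a/.github/codecov.yml
+++ b/.github/codecov.yml
@@ -1,2 +1,7 @@
 ignore:
-- "./api" # ignore folders and all its contents
+- "./api" # ignore folders and all its contents
+coverage:
+status:
+patch:
+default:
+target: 80%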
8 changes: 4 additions & 4 deletions .github/workflows/build-pr.yml
Expand Up @@ -23,7 +23,7 @@ jobs:
fail-fast: false
matrix:
KUBERNETES_VERSION: ["1.29.2"]
GATEKEEPER_VERSION: ["3.15.0"]
GATEKEEPER_VERSION: ["3.16.0"]
uses: ./.github/workflows/e2e-k8s.yml
with:
k8s_version: ${{ matrix.KUBERNETES_VERSION }}
Expand All @@ -36,7 +36,7 @@ jobs:
fail-fast: false
matrix:
KUBERNETES_VERSION: ["1.28.7", "1.29.2"]
GATEKEEPER_VERSION: ["3.13.0", "3.14.0", "3.15.0"]
GATEKEEPER_VERSION: ["3.14.0", "3.15.0", "3.16.0"]
uses: ./.github/workflows/e2e-k8s.yml
with:
k8s_version: ${{ matrix.KUBERNETES_VERSION }}
Expand All @@ -52,7 +52,7 @@ jobs:
fail-fast: false
matrix:
KUBERNETES_VERSION: ["1.27.9", "1.29.2"]
GATEKEEPER_VERSION: ["3.13.0", "3.14.0", "3.15.0"]
GATEKEEPER_VERSION: ["3.14.0", "3.15.0", "3.16.0"]
uses: ./.github/workflows/e2e-aks.yml
with:
k8s_version: ${{ matrix.KUBERNETES_VERSION }}
Expand All @@ -79,7 +79,7 @@ jobs:
go-version: '1.21'

- name: Az CLI login
uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
with:
client-id: ${{ env.AZURE_CLIENT_ID }}
tenant-id: ${{ env.AZURE_TENANT_ID }}
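--- /dev/null
+++ b/.github/workflows/clean-dev-package.yml
@@ -0,0 +1,28 @@
+name: clean-dev-package
+
+on:
+workflow_dispatch:
+
+permissions:
+contents: read
+
+jobs:
+cleanup-packages:
+runs-on: ubuntu-latest
+permissions:
+packages: write
+steps:
+- name: Clean up ratify-crds-dev
+uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0
+with:
+package-name: 'ratify-crds-dev'
+package-type: 'container'
+min-versions-to-keep: 7
+delete-only-pre-release-versions: "true"
+- name: Clean up ratify-dev
+uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0
+with:
+package-name: 'ratify-dev'
+package-type: 'container'
+min-versions-to-keep: 7
+delete-only-pre-release-versions: "true"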
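Review bot: The retention rule of this destructive workflow is not documented anywhere in the file: a reader of `min-versions-to-keep: 7` together with `delete-only-pre-release-versions: "true"` has to know how actions/delete-package-versions decides what counts as a pre-release (I believe it classifies by semver pre-release suffix, so confirm the dev tags produced by publish-dev-assets.yml match that rule, otherwise the run silently prunes nothing or prunes more than intended). A header comment above `jobs:` such as `# Manually triggered: prunes pre-release (dev) versions of the ratify-dev and ratify-crds-dev container packages, always keeping the 7 newest.` would capture the intent for the next person who dispatches it. Keeping `contents: read` at the top level and granting `packages: write` only on the job is the right scope; the two steps differ only in `package-name`, so a one-line `strategy.matrix` over the package names would avoid maintaining the pin and inputs twice.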
4 changes: 2 additions & 2 deletions .github/workflows/codeql.yml
Expand Up @@ -33,12 +33,12 @@ jobs:
with:
go-version: "1.21"
- name: Initialize CodeQL
uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276 # tag=v3.25.6
uses: github/codeql-action/init@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # tag=v3.25.8
with:
languages: go
- name: Run tidy
run: go mod tidy
- name: Build CLI
run: make build
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276 # tag=v3.25.6
uses: github/codeql-action/analyze@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # tag=v3.25.8
7 changes: 4 additions & 3 deletions .github/workflows/e2e-aks.yml
Expand Up @@ -14,7 +14,7 @@ on:
gatekeeper_version:
description: 'Gatekeeper version'
required: true
default: '3.15.0'
default: '3.16.0'
type: string

jobs:
Expand All @@ -24,6 +24,7 @@ jobs:
AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
AZURE_SP_OBJECT_ID: fd917b28-cdc0-4828-92c9-1ca8203842a3
runs-on: ubuntu-latest
timeout-minutes: 30
environment: azure-test
Expand All @@ -38,7 +39,7 @@ jobs:
with:
go-version: '1.21'
- name: Az CLI login
uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
with:
client-id: ${{ env.AZURE_CLIENT_ID }}
tenant-id: ${{ env.AZURE_TENANT_ID }}
Expand All @@ -60,7 +61,7 @@ jobs:
- name: Run e2e on Azure
run: |
make e2e-aks KUBERNETES_VERSION=${{ inputs.k8s_version }} GATEKEEPER_VERSION=${{ inputs.gatekeeper_version }} TENANT_ID=${{ env.AZURE_TENANT_ID }}
make e2e-aks KUBERNETES_VERSION=${{ inputs.k8s_version }} GATEKEEPER_VERSION=${{ inputs.gatekeeper_version }} TENANT_ID=${{ env.AZURE_TENANT_ID }} AZURE_SP_OBJECT_ID=${{ env.AZURE_SP_OBJECT_ID }}
- name: Upload artifacts
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
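Review bot: The new `AZURE_SP_OBJECT_ID=${{ env.AZURE_SP_OBJECT_ID }}` argument in the `Run e2e on Azure` step is templated into the shell script text by expression expansion; job `env` values are already exported into the step's shell, so `AZURE_SP_OBJECT_ID=$AZURE_SP_OBJECT_ID` passes the same value without rewriting the script, which is the habit to keep if any of these identifiers later become workflow inputs (the existing `TENANT_ID=${{ env.AZURE_TENANT_ID }}` has the same shape). The added `AZURE_SP_OBJECT_ID` entry in the job env block carries no comment on what consumes it, and the env mapping itself starts above the hunk; since the only visible consumer is the make invocation, a comment such as `# passed to make e2e-aks (see "Run e2e on Azure")` on that line would keep the two hunks tied together.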
2 changes: 1 addition & 1 deletion .github/workflows/e2e-k8s.yml
Expand Up @@ -14,7 +14,7 @@ on:
gatekeeper_version:
description: 'Gatekeeper version'
required: true
default: '3.15.0'
default: '3.16.0'
type: string

jobs:
2 changes: 1 addition & 1 deletion .github/workflows/publish-dev-assets.yml
Expand Up @@ -37,7 +37,7 @@ jobs:
echo ::set-output name=baseref::${REPOSITORYBASE}
echo ::set-output name=crdref::${REPOSITORYCRD}
- name: docker login
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
2 changes: 1 addition & 1 deletion .github/workflows/publish-package.yml
Expand Up @@ -36,7 +36,7 @@ jobs:
run: |
echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
- name: docker login
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
2 changes: 1 addition & 1 deletion .github/workflows/publish-sample.yml
Expand Up @@ -23,7 +23,7 @@ jobs:
echo "REPOSITORY=${{ env.REGISTRY }}/${{ github.repository }}" >> $GITHUB_ENV
- name: Log in to the GHCR
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Expand Up @@ -26,7 +26,7 @@ jobs:
go-version: '1.21'

- name: Goreleaser
uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
with:
version: '1.18.0'
args: release --rm-dist
10 changes: 5 additions & 5 deletions .github/workflows/run-full-validation.yml
Expand Up @@ -4,10 +4,10 @@ on:
pull_request:
branches:
- main
- 1.0.0*
- release*
push:
branches:
- 1.0.0*
- release*
- main
workflow_dispatch:

Expand All @@ -25,7 +25,7 @@ jobs:
fail-fast: false
matrix:
KUBERNETES_VERSION: ["1.28.7", "1.29.2"]
GATEKEEPER_VERSION: ["3.13.0", "3.14.0", "3.15.0"]
GATEKEEPER_VERSION: ["3.14.0", "3.15.0", "3.16.0"]
uses: ./.github/workflows/e2e-k8s.yml
with:
k8s_version: ${{ matrix.KUBERNETES_VERSION }}
Expand All @@ -40,7 +40,7 @@ jobs:
fail-fast: false
matrix:
KUBERNETES_VERSION: ["1.27.9", "1.29.2"]
GATEKEEPER_VERSION: ["3.13.0", "3.14.0", "3.15.0"]
GATEKEEPER_VERSION: ["3.14.0", "3.15.0", "3.16.0"]
uses: ./.github/workflows/e2e-aks.yml
with:
k8s_version: ${{ matrix.KUBERNETES_VERSION }}
Expand All @@ -67,7 +67,7 @@ jobs:
go-version: '1.21'

- name: Az CLI login
uses: azure/login@6b2456866fc08b011acb422a92a4aa20e2c4de32 # v2.1.0
uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
with:
client-id: ${{ env.AZURE_CLIENT_ID }}
tenant-id: ${{ env.AZURE_TENANT_ID }}
73 changes: 73 additions & 0 deletions .github/workflows/scan-vulns.yaml
@@ -0,0 +1,73 @@
name: scan_vulns
on:
push:
paths-ignore:
- "docs/**"
- "library/**"
- "**.md"
pull_request:
paths-ignore:
- "docs/**"
- "library/**"
- "**.md"
workflow_dispatch:

permissions: read-all

jobs:
govulncheck:
name: "Run govulncheck"
runs-on: ubuntu-22.04
timeout-minutes: 15
steps:
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit

- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: "1.22"
check-latest: true
- uses: golang/govulncheck-action@dd0578b371c987f96d1185abb54344b44352bd58 # v1.0.3

scan_vulnerabilities:
name: "[Trivy] Scan for vulnerabilities"
runs-on: ubuntu-22.04
timeout-minutes: 15
steps:
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit

- name: Check out code into the Go module directory
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29

- name: Download trivy
run: |
pushd $(mktemp -d)
wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
echo "$(pwd)" >> $GITHUB_PATH
env:
TRIVY_VERSION: "0.46.0"

- name: Run trivy on git repository
run: |
trivy fs --format table --ignore-unfixed --scanners vuln .
- name: Build docker images
run: |
make e2e-build-local-ratify-image
make e2e-build-crd-image
- name: Run trivy on images for all severity
run: |
for img in "localbuild:test" "localbuildcrd:test"; do
trivy image --ignore-unfixed --vuln-type="os,library" "${img}"
done
- name: Run trivy on images and exit on HIGH severity
run: |
for img in "localbuild:test" "localbuildcrd:test"; do
trivy image --ignore-unfixed --exit-code 1 --severity HIGH --vuln-type="os,library" "${img}"
done
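Review bot: The gating step `Run trivy on images and exit on HIGH severity` passes `--severity HIGH`, which in Trivy selects only that single level, so CRITICAL findings are listed by the preceding all-severity step but never fail the job; change it to `--severity HIGH,CRITICAL` and rename the step to match. The `actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29` pin is the only action in the file without a `# vX.Y.Z` comment, so its intended version cannot be checked at a glance the way the others can. The `Download trivy` step fetches the release tarball with plain `wget` and puts it on PATH with no integrity check; the Trivy release publishes a checksums file alongside the tarball, so a `sha256sum -c` against the expected entry before `tar zxvf` would make the pinned `TRIVY_VERSION` actually enforce what gets executed.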
6 changes: 5 additions & 1 deletion .github/workflows/scorecards.yml
Expand Up @@ -8,6 +8,10 @@ on:
branches:
- main
- dev
pull_request:
branches:
- dev
- main
workflow_dispatch:

permissions: read-all
Expand Down Expand Up @@ -44,6 +48,6 @@ jobs:
retention-days: 5

- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # tag=v3.25.6
uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # tag=v3.25.8
with:
sarif_file: results.sarif
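Review bot: The new `pull_request` trigger also fires for pull requests opened from forks, where GITHUB_TOKEN is read-only regardless of what the job declares, so the `Upload to code-scanning` step at the end of the file can fail on those runs; the job's `permissions` block and the scorecard step's inputs sit between the two hunks and are not visible here, so confirm they tolerate a pull_request run (as far as I recall the scorecard action only accepts published results from default-branch push and schedule runs, and documents which events it supports). If PR runs are meant as a non-publishing smoke test, a comment on the trigger such as `# pull_request runs only validate the workflow; results are published from push/schedule` would make that explicit, and the SARIF upload could be skipped with `if: github.event_name != 'pull_request'`.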
0 comments on commit b6a5701

Please sign in to comment.